EDP AUDITS

The Legislative Audit Committee
of the Montana State Legislature:

This report is our EDP follow-up audit of general controls relating to the University's data processing center (93DP-38). The original audit reviewed the general controls over Computing and Information Services at The University of Montana - Missoula. This report contains the implementation status of the original recommendations for improving EDP controls at the center. The original findings addressed improving physical and electronic access security, system development services, and organizational controls. Written responses to the audit recommendations are included in the back of the audit report.

We thank The University of Montana - Missoula for their cooperation and assistance throughout the audit.
Chapter I - Introduction and Background

Introduction

We performed a follow-up review of our electronic data processing audit (93DP-38) of The University of Montana's Computing and Information Services facility. In June 1994, we issued our original report, which contained thirteen recommendations for improving existing controls within the University's electronic data processing environment. This report outlines the implementation status of the recommendations related to general and application controls contained in our original report.


General Background

The University of Montana (University) is a state-funded, liberal arts university established in 1893. The University is a part of the Montana University System, which includes two universities and colleges and has a total enrollment of approximately 33,600 students.

The University established the Computing and Information Services Branch (CIS) to support instructional, research, and administrative activities by providing computing and electronic communication facilities and services to campus employees and students. CIS maintains the University's mainframe operations and supports several locally developed mainframe applications including the personnel-payroll system, the College and University Financial System (CUFS), and the student information system (BANNER). CIS is organized into four major functions managed by a central administrative staff. These functions include: Administrative Information System Development Services, Computing and Network Services, Electronic Maintenance Services, and Electronic Communication Services.


Background on Original Audit

We performed an electronic data processing (EDP) audit of the University's CIS facility. The objectives of our EDP audit were to determine the adequacy of EDP general controls existing within the CIS environment. General controls are a component of the overall internal control environment of computer-based applications (e.g., CUFS, BANNER). Data processing general controls are designed to ensure computer programs work consistently and properly; data files and resources are accessed only as authorized; and the entire data processing operation is adequately protected to ensure continued operation during normal and contingency situations. Adequacy of the general controls provides assurance over the integrity of data processed by the University mainframe computer. EDP general controls are described in greater detail in the following paragraph.


EDP Audit Controls

General EDP controls provide assurance over the accuracy, reliability, and integrity of the information processed. From the audit work, a determination is made as to whether controls exist and are operating as designed. A general control review includes an examination of the following controls:

Organizational - apply to the structure and management of the computing and information services facility. Specific types of organization controls include segregation of duties, assignment of responsibilities, rotation of duties, and supervision.

Procedural - operating standards and procedures which ensure the reliability of computer processing results and protect against processing errors.

Hardware and Software - controls within the operating system software and hardware which monitor and report system error conditions.

System Development - oversight and supervisory controls imposed on development projects. Controls include feasibility studies, development, testing and implementation, documentation, and maintenance.

Physical Security - physical site controls including security over access to the computer facility, protection devices such as smoke alarms and sprinkler systems, and disaster prevention and recovery plans.

Electronic Access - controls which allow or disallow user access to electronically stored information such as data files and application programs.
Follow-Up Audit Scope

The audit objective was to determine the implementation status of the original audit recommendations relating to general controls. We reviewed agency documentation and interviewed staff to evaluate implementation of prior audit recommendations.


Follow-Up Results

The prior EDP audit included 12 recommendations addressed to The University of Montana - Missoula. Of the 12 recommendations to the University, 7 are implemented, 3 are partially implemented, and one is not implemented. The remaining recommendation is no longer applicable.

The report also included one recommendation to the Board of Regents of the Montana University System. The Board of Regents did not implement the recommendation. We summarize the status of the 13 recommendations in Chapter II of this report.
Introduction

This chapter discusses the status of each recommendation made in our initial report. Discussion of each recommendation is organized as follows:

1. Audit Area.

2. Recommendation.

3. Initial Agency Response (from the prior EDP Audit report).

4. Present Implementation Status.


Physical Security Controls

Physical security controls provide security against accidental loss or destruction of data and program files or equipment and ensure continuous operation of EDP functions. During the initial audit we reviewed existing physical controls in place at the CIS facility. We noted CIS installed computer hardware on a raised floor. Smoke alarms function properly. Air conditioning maintains controlled computer room temperature and the power supply meets computing equipment needs. However, we noted instances where CIS could improve physical controls over computer operations.

We made four recommendations related to physical security controls. The present status of these findings is discussed in the following sections.


The University Should Establish, Test, and Document a Formal Disaster Recovery Plan

Recommendation #1

We recommend the University establish, test, and document a formal disaster recovery plan.

Initial Agency Response

The University concurs with the recommendation. We agree we must formalize and revise our computing center disaster recovery plans. We began discussions last fall on the development of such a plan, but once the restructuring plans were adopted by the Board of Regents, we realized additional opportunities which we are currently exploring. A recently formed task force is developing a draft plan for campus review in early Fall 1994. Once the review process is completed, contingent upon available resources, we will appropriately revise, test, and implement the plan.

One potential component of the plan is to locate a remote computing facility somewhere other than on the main Missoula campus. This facility could be connected to the main campus with a high-speed network. We recently acquired some of the necessary components for this facility.

Present Implementation Status

This recommendation has not been implemented. The University has not established a formal disaster recovery plan. Although the task force mentioned above drafted recovery procedures, the University is in the process of reorganizing its computing services and operations. Following restructuring of the University System, The University of Montana - Missoula intends to develop a disaster recovery plan which incorporates all University of Montana campuses. For example, the University plans to acquire the necessary hardware and configuration for multi-campus backup processing services. The University expects to complete formal disaster recovery procedures by October 1, 1996 or following completion of the University System restructuring and reorganization.


Uninterruptible Power Supply

Recommendation #2

We recommend the University evaluate purchasing an alternative power backup system for the Computing and Information Services computing center.

Initial Agency Response

The University concurs with the recommendation. An uninterruptible power supply (UPS) remains a funding issue. We formulated a plan which identifies critical locations around campus where it is important to ensure uninterrupted computing and networking capabilities. Periodically a cost analysis is performed, whereby we weigh the cost of lost processing time against the cost of acquiring a UPS. We will again review the plan and update the cost analysis. We will consider UPS purchases in Fiscal Year 1996 budget allocations.

However, we do not agree with the assertion in the audit report that the University could sustain computer application processing errors. In the event of a power failure, the computer power conditioner and self-contained backup power supply systems fully protect the hardware and programs, including data files, from damage. A UPS has no effect upon the reliability of processing results or upon the efficient restoration of computing operations.

Present Implementation Status

The recommendation is implemented. In January 1995 the University installed an uninterruptible power supply system for its mainframe data processing center. The UPS provides temporary power to mainframe hardware during complete power outages and allows personnel to complete an orderly shutdown of computer hardware.


The University Should Implement Existing Physical Security Controls

Recommendation #3

We recommend the University:

A. Implement cost-effective controls to prevent or limit damage to computer center equipment.

B. Remove and properly dispose of the computer center halon tanks.

Initial Agency Response

A. The University concurs with the recommendation. We will take the steps necessary to ensure training is provided to appropriate computer center personnel on use of the fire extinguisher. We will also reconnect the electronic device which monitors and reports room temperature, power and noise irregularities. Implementation of both corrective actions will occur by 30 June 1994.

B. The University concurs with the recommendation. We will research alternative fire protection systems. If the results of the evaluation indicate we cannot effectively utilize the halon tanks, we will appropriately dispose of them. Project completion date is 1 August 1994.

Present Implementation Status

A. The recommendation is implemented. CIS employees received training in June 1995 from the Missoula Fire Department. Training covered proper use of fire extinguishers and fire prevention awareness. Computer center personnel also reinstalled the electronic device which monitors computer room temperature and noise level. The electronic device places an emergency telephone call to alert employees of conditions which may indicate power failure or fire within the computer room.

B. This recommendation is no longer applicable. During the previous audit the halon tanks were stored within the computer center and posed a safety risk to employees because they had not been inspected to ensure proper working condition. The University determined the halon tanks can still be effectively utilized. The halon tanks were inspected by the Missoula Fire Department and reinstalled in the computer center.


Backup Software, Programs, and Data Should be Stored Off Site

Recommendation #4

We recommend the University establish policies and procedures to ensure backup information is consistently stored off site in a secure location.

Initial Agency Response

The University concurs with the recommendation. As the audit report indicates, the University initiated steps during the course of the audit to properly control the room temperature for the off-site backup facilities. While university procedures do address off-site backup, we will clarify this policy by 1 July 1994.

Present Implementation Status

The recommendation is implemented. University employees consistently store backup software and data at the off-site facility. The University has documented its backup policy and established a permanent off-site storage facility.


Electronic Access Controls

Electronic access controls provide electronic safeguards designed to protect computer system resources. The University uses VAX/VMS operating system software to control electronic access to the operating system, application programs, and data stored on the mainframe computer. VAX/VMS controls access through electronic rules which allow or prevent user access. In addition, the University controls access to the Banner and CUFS applications through security programs which control access to programs, data, and specific screens. We made two recommendations related to access security controls. The present status of these findings is discussed in the following sections.


Technical Support Employee Access Should be Limited

Recommendation #5

We recommend the University evaluate and limit Technical Support employee access according to job duties.

Initial Agency Response

The University partially concurs with the recommendation. We will review current position descriptions and modify, where necessary, either access or job duties. The University will also review systems which may provide additional controls and interim access on an as-needed basis. However, the University believes the present method of assigning security access privileges provides sufficient controls and additional verifications. Currently, security responsibilities and duties are allocated to several individuals; therefore, no single employee is in a position to compromise the system security without detection by at least one other employee.

The audit report implies that operating system files can be restricted on a limited basis, for instance read access only. Generally, VAX/VMS operating system access privileges cannot be granted on a file-specific basis. The technical support specialists are assigned duties which require full access to the VAX/VMS operating system as well as their specific areas/application. Furthermore, with our present method of assigning security access to several individuals, technical support specialists cannot write, execute, or delete operating system files without detection by another employee or the system.

Present Implementation Status

The recommendation is implemented. The University evaluated technical support employee access to operating system files and programs in June 1994. As a result of its review the University noted no situations where technical support staff job duties or access privileges required modification.


Programmer Access Should be Restricted

Recommendation #6

We recommend the University restrict programmer access to production programs and data.

Initial Agency Response

The University concurs with the recommendation. We will review programmer access to production programs and data including an evaluation of current access privileges and modification of those privileges, where applicable. The review will consider the security needs necessary to ensure continued service to the University community without compromising standards and controls. The audit report notes we did in fact modify programmer access privileges for the Banner application. We will utilize the same review process for all applications. The review completion date is 1 October 1994.

Present Implementation Status

The recommendation is partially implemented. During the previous audit programmers had unrestricted and unlogged access to Banner, CUFS, and payroll/personnel application production programs and/or data. The University restricted programmer access to the Banner application. Following the audit, the University evaluated programmer access to production programs and data in June 1994. Banner and CUFS log the date and user identification number when modifications to production programs and data occur. The University will replace its payroll/personnel system in July 1996 and incorporate similar controls. Programming supervisors continue to have unrestricted access to application production programs and/or data.


System Development Controls

System development controls provide oversight and supervisory safeguards on development projects. The University has established the Administrative and Information Systems Development Services (AIS) function to provide programming support to campus departments. Services include programming to modify or enhance existing computer applications. In the original audit we reviewed system development controls established through AIS and made the following recommendation.


The University Should Document System Programming Changes

Recommendation #7

We recommend the University communicate established procedures for documenting system programming changes.

Initial Agency Response

The University concurs with the recommendation. The programming personnel recently received a memo detailing the revisions of procedures. Included in that memo was the documentation of and utilization of the programming changes checklist.

Present Implementation Status

The recommendation is implemented. In June 1994 the University communicated established procedures for documenting system programming changes to programming personnel.


Organizational Controls

Organizational controls provide for effective operation, structuring, and management of computer center operations and services. CIS provides specific types of organization controls including segregating duties, assigning responsibilities, rotating duties, and supervision. CIS's primary function is to provide computing services to campus users. Services include installing software and hardware, problem resolution, mainframe processing, and personal computer repair and maintenance. We made four recommendations related to organizational controls. The present status of these findings is discussed in the following sections.


User Support Services Should be Reviewed, Defined, and Communicated

Recommendation #8

We recommend the University:

A. Review and revise user support procedures to ensure services meet user needs.

B. Define and communicate CIS's available computer support services.

Initial Agency Response

A. The University partially concurs with the recommendation. The University is presently planning a reorganization of all its information technology services, including Computing and Information Services (CIS). This reorganization and changes resulting from restructuring may also redefine user services and procedures provided by CIS. While CIS provides support to campus users in many capacities now, we will review how this information is communicated to campus users with an emphasis on clarifying support services available.
B. The University partially concurs with the recommendation. As the audit report notes, CIS provides several publications which communicate support services and standards. We believe the University support services and standards are defined and communicated to campus. In an April 1994 publication this information was again provided to campus users. With the changes in standards, applications, and systems occurring the next two years, we will continue to inform the campus community.

Present Implementation Status

A. The recommendation is partially implemented. The University is reorganizing CIS user support services. Once the reorganization is complete, the University intends to communicate its mission, goals, and central user support services to the campus community.

B. The recommendation is implemented. The University believes its existing support services and standards are defined and communicated to campus computer users. The University communicated to users the computer support services it provides through campus publications. Following completion of the CIS reorganization, the University intends to redefine and formally communicate user support services on an ongoing basis.


Performance Evaluations

Recommendation #9

We recommend the University ensure management performs annual performance evaluations in accordance with University policy.

Initial Agency Response

The University concurs with the recommendation. The University will ensure that CIS management consistently follows the University's personnel policy for annual performance evaluations. CIS management notified departmental managers and supervisors on 11 May 1994 of the need to conduct formal performance evaluations in accordance with established policies. A review of all CIS position descriptions and performance evaluations will occur by 1 July 1994.

Present Implementation Status

The recommendation is partially implemented. CIS has not conducted a review of all CIS position descriptions or fully completed all annual CIS employee evaluations according to University policy. During the previous audit we reviewed ten employee files and noted none had received performance appraisals. During this audit, two of the ten employees had received a performance appraisal. We also noted three additional employees received a performance appraisal.


Billing Procedures

Recommendation #10

We recommend the University retain supporting documentation for CIS billings in accordance with state policy.

Initial Agency Response

The University concurs with the recommendation. Effective fiscal year 1995, the University will retain all supporting documentation for Electronic Maintenance Center services in accordance with state policy.

Present Implementation Status

The recommendation is implemented. CIS established procedures to retain documentation which supports time charged for maintenance services. We verified that CIS properly retains supporting documentation for billings in accordance with state policy.
The Board of Regents Should Provide Computing Operation Guidance in Accordance with State Law

Recommendation #11

We recommend the Board of Regents develop and implement formal policies which address safeguarding data and information technology resources in accordance with state law.

Initial Agency Response

The Board of Regents concurs with the recommendation.

Neither the Board of Regents nor the Office of the Commissioner of Higher Education has a currently authorized position devoted to tasks relating to information technology, nor does the current staff have the technical expertise to provide the Board of Regents with policy recommendations related to information technology. The Commissioner of Higher Education and the Board of Regents are committed to a sharing and enhancement of information technology and resources in the restructured University System. The Commissioner plans to reallocate a currently vacant position within his office to fill the need for a technical expert in the data processing and information technology area. It is his hope that during Fiscal Year 1995, this professional will be hired and may begin to provide the Board with appropriate policy advice.

Present Implementation Status

This recommendation is not implemented. The Office of the Commissioner of Higher Education authorized a position which will be devoted to information technology. The position was not filled during fiscal year 1995. The Office is now drafting the position description and plans to fill the position during fiscal year 1996. In addition, the Board has appointed a Telecommunications Coordinator for the Office and a telecommunications advisory committee. The committee plans to devote early attention to policies for the Board of Regents on telecommunications and information technology.
The University of Montana

Office of the President
The University of Montana
Missoula, Montana 59812-1291
(406) 243-2311, FAX (406) 243-2797

1 December 1995

Mr. Scott A. Seacat
Legislative Auditor
Legislative Audit Division
Room 135 State Capitol
P. O. Box 201705
Helena, MT 59620-1705

DEC 4 1995

Dear Mr. Seacat:

I have enclosed The University of Montana - Missoula's response to the EDP Audit Follow-up report. We concur with the reported status as presented.

We still have a couple of recommendations which require further attention and we will continue to address outstanding issues as we indicated in the response. Because of rapidly changing information technology, we persistently refine our controls and commitment in this area.

The reorganization of the Montana University System and The University of Montana - Missoula's Computing and Information Services has brought about many changes which will provide efficient and effective utilization of information technology. While not overlooking controls and accountability, providing service to the users has claimed and will claim highest priority for Computing and Information Services.

We appreciate the cooperative efforts made by the audit team and thank those involved for their assistance.

Sincerely,

George M. Dennison,
President

Enclosure

c: J. Baker, Commissioner of Higher Education
   K. Burgmeier, Director, Internal Audit
   J. Cleaveland, Executive Director of Information Technology
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THE  UNIVERSITY  OF  MONTANA 

EDP  Audit  Follow-up 
30  November  1995 

Recommendation  #1 

We  recommend  the  University  establish,  test,  and  document  a  formal  disaster  recovery 

plan. 

We  concur  with  the  present  implementation  status.    As  indicated  in  the  report,  we  intend  to 
develop  the  disaster  recovery  plan  by  1  October  1996.   Implementation  of  a  plan  will  be 
contingent  on  availability  of  funding. 

Recommendation  #2 

We  recommend  the  University  evaluate  purchasing  an  alternative  power  backup  system 

for  the  Computing  and  Information  Services  computing  center. 

We  concur  with  the  present  implementation  status. 

Recommendation  #3 

We  recommend  the  University: 

A.  Implement  cost-effective  controls  to  prevent  or  limit  damage  to  computer  center 
equipment. 

B.  Remove  and  properly  dispose  of  the  computer  center  halon  tanks. 

We  concur  with  the  present  implementation  status  for  both  A  and  B. 

Recommendation  #4 

We  recommend  the  University  establish  policies  and  procedures  to  ensure  backup 

information  is  consistently  stored  off-site  in  a  secure  location. 

We  concur  with  the  present  implementation  status. 

Recommendation  #5 

We  recommend  the  University  evaluate  and  limit  Technical  Support  employee  access 

according  to  job  duties. 

We  concur  with  the  present  implementation  status.   In  the  evaluation  of  job  duties,  we 
determined  two  positions  did  not  require  the  access  provided  so  modifications  were  made  to 
their  security  profiles. 
Recommendation #6 

We recommend the University restrict programmer access to production programs and 
data. 

We concur with the present implementation status. We developed and are implementing a 
plan to control and restrict access for all production software. During our review we 
determined that the same procedures implemented for Banner Student and Financial Aid 
could not effectively be utilized for CUFS or the payroll/personnel systems. We plan to 
implement these procedures as we implement the Banner HRIS and Finance programs. HRIS 
will be implemented 1 July 1996. We purchased Finance and a firm implementation date is not 
established but will be completed in about two to three years. 

Recommendation  #7 

We recommend the University communicate established procedures for documenting 
system programming changes. 

We  concur  with  the  present  implementation  status. 

Recommendation  #8 

We  recommend  the  University: 

A.  Review  and  revise  user  support  procedures  to  ensure  services  meet  user  needs. 

B.  Define  and  communicate  CIS's  available  computer  support  services. 

A. We concur with the present implementation status. As part of the current 
reorganization of CIS, each of the functional areas/subdivisions will define their 
mission and goals. 

B.  We  concur  with  the  present  implementation  status. 

Recommendation  #9 

We recommend the University ensure management performs annual performance 
evaluations in accordance with University policy. 

We concur with the present implementation status. Because of the reorganization within CIS, 
the implementation date was revised and will be fully implemented by 30 June 1996. 

Recommendation  #10 

We recommend the University retain supporting documentation for CIS billings in 
accordance with state policy. 

We  concur  with  the  present  implementation  status. 
Montana University System 

Office  of  Commissioner  of  Higher  Education 


2500 Broadway, PO Box 203101, Helena, Montana 59620-3101, (406) 444-6570, FAX (406) 444-1469 


October 25, 1995 


Ms.  Mary  Bryson 
Deputy  Legislative  Auditor 
Operations  and  EDP  Audit 
Office  of  the  Legislative  Auditor 
State  Capitol 
Helena,  MT  59620 

Dear  Ms.  Bryson: 

Enclosed is the response of the Montana University System to recommendation #11 from the 
EDP report University of Montana (93DP-38). We appreciate the opportunity to respond to this 
recommendation. 

Sincerely, 

Richard  A.  Crofts 
Deputy  Commissioner 
Montana  University  System 

enc. 
Dawson Community College (Glendive) - Flathead Valley Community College (Kalispell) - Miles Community College (Miles City) 


RECOMMENDATION  #11 


We  recommend  the  Board  of  Regents  develop  and  implement  formal  policies  which  address 
safeguarding  data  and  information  technology  resources  in  accordance  with  state  law. 

AGENCY  RESPONSE: 

Concur. 

The Office of the Commissioner of Higher Education has a currently authorized position which 
will be devoted to information technology. The position was not filled during the 1995 Fiscal Year 
due to uncertainties about the funding of the office. The position description is now being drafted 
and the position will be filled during the 1996 Fiscal Year. In addition, Commissioner Baker has 
appointed Deputy Commissioner Crofts as the Telecommunications Coordinator for the Office. 
A telecommunications advisory committee has been named and will be devoting early attention 
to policies for the Board of Regents on telecommunications and information technology. 